| 1 |
I was poking around my system today and noticed a log that I never knew |
| 2 |
existed. |
| 3 |
|
| 4 |
/var/log/pwdfail/* |
| 5 |
|
| 6 |
Much to my surprise, I see all these entries (hundreds) from some 'blankety |
| 7 |
blank blank' trying to hack my server!! |
| 8 |
|
| 9 |
daevid pwdfail # cat current |
| 10 |
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 |
| 11 |
euid=0 tty=ssh ruser= rhost=61.103.229.40 |
| 12 |
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from |
| 13 |
61.103.229.40 port 49431 ssh2 |
| 14 |
Sep 17 13:00:29 [sshd(pam_unix)] authentication failure; logname= uid=0 |
| 15 |
euid=0 tty=ssh ruser= rhost=61.103.229.40 |
| 16 |
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from |
| 17 |
61.103.229.40 port 49556 ssh2 |
| 18 |
Sep 17 13:00:33 [sshd(pam_unix)] authentication failure; logname= uid=0 |
| 19 |
euid=0 tty=ssh ruser= rhost=61.103.229.40 |
| 20 |
Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port |
| 21 |
49660 ssh2 |
| 22 |
Sep 17 13:00:37 [sshd(pam_unix)] authentication failure; logname= uid=0 |
| 23 |
euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root |
| 24 |
Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port |
| 25 |
49769 ssh2 |
| 26 |
Sep 17 13:00:41 [sshd(pam_unix)] authentication failure; logname= uid=0 |
| 27 |
euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root |
| 28 |
Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port |
| 29 |
49879 ssh2 |
| 30 |
|
| 31 |
I figure there should be a script someone has written that will parse this |
| 32 |
and automatically add these unique IP addresses (sans redundant ones) to my |
| 33 |
/etc/shorewall/blacklist |
| 34 |
|
| 35 |
Google for "shorewall pwdfail" doesn't have very many results though, and |
| 36 |
the ones there are in german or something. |
| 37 |
|
| 38 |
-- |
| 39 |
gentoo-user@g.o mailing list |
Archives